An exercise in security: Best practices for the naïve end user?

[elux]

So Bitcoinica got rooted and robbed. In expectation of the announced mass leak, I've got an exercise for you ninjas.

Assume for a minute that:

• My name is Joe Average. Hello.
• I love my Bitcoins. I have a good number of them for some reason.
• I'm completely naïve when it comes to securing my accounts.
• I'm of reasonable intelligence and able to carry out simple instructions.
• I prefer to use the login javerage across all services, and I like the password JoeBitcoin123.
• I have an account with every major money-handling merchant, service and exchange.

What steps should I follow to manage my credentials in a more safe, more sane manner?

Securing the wallet is already covered, so we can assume that my Bitcoin Retirement Fund is stored on a stick in some secure vault.

Consequently, I'm mostly concerned with risks involving the compromise of 3rd party services.

Some sub-problems:

• How do I produce sufficiently strong passwords for each account?
• How do I store and retrieve tens of strong passwords safely?
• How do I keep track of logins, passwords, email addresses, and other account data
  across tens of services over several years, for use by many devices?
• What precautions should I take when sites get compromised, when account data gets leaked?
• How do I stop myself from eventually being lazy, eventually getting robbed?

How do you stay safe?

[Realpra]

I have a "safe password" (two actually) and one I use for everything.

safe one(s) used for email, paypal and bitcoin.

BTC wallet in the cloud has been secured with two passwords (safe/unsafe both), on disk is always encrypted with one (the safe one).

[Serge]

use a password manager, something like KeePass, it's available to all common OS' including smartphones
password manager will also help you choose strong passwords
don't use same password at multiple locations
additionally same password manager will help you keep safe other associated credentials, notes, etc
keep a backup of its database

[apetersson]

i used the "multi-tier" password strategy as well before entering bitcoin, and thought it is reasonably secure.

when i saw what was going on in bitcoin i abandoned this idea, because really, you cannot trust anyone to keep your data safe, even if they have the best intentions.

today i have a totally seperate password for each service. i write them down on a non-network connected device which uses a software to encrypt my passwords.
i do not remember most of my passwords, but i use password reset quite often

for quite powerful passwords you could use http://www.passwordcard.org

[Agent Provocateur]

I'm creating a new pw with min. 13 chars for every service or task & store 'em in a pwcontainer on an old iPaq, which is never data-connected to whatever. In case of iPaq failure pws are written down and stored safely.

Besides pwsecurity for the average user I'm more interested in something I've read on this forum: the RPC-attack on bitcoinqt. I've read the attack can be avoided through setting up a propper bitcoin.conf in the /appdata, with: RPC user & pw set, allowing only trusted nodes, disallowing irc-connection, localhost's rpcs allowed only,...too much for the average user.
Neither a bitcoin.conf with a minimum of security settings is created when installing the client nor can I identify trusted nodes. Where to find a list of trusted nodes and how can I be sure they're safe?
Maybe such a standard-bitcoin.conf is surcharged or this is just a minor issue, but I thought it should me mentioned when talking about security-standards to the average user.

[mav]

I highly recommend http://passwordmaker.org/

It's a simple way to make a unique strong password for each site using one master password. It has convenient plugins for all browsers.